It's always interesting to hear how security practitioners got their start and the many lessons they apply from their experiences outside the world of infosec. Some began their careers at a help desk; others began with the basics of network architecture. Quite a few started in the military.
J.J. Guy, co-founder and CEO of Sevco Security, was assigned to the Air Force red team as part of what was known as the Air Force Information Warfare Center when he joined active service. His position gave him an opportunity to explore the offensive and defensive sides of security.
"The Air Force was unique in that from an IT side, we were not only the red team but also the blue team," he says. "One week I would go break into an Air Force network, then the next week I would sit down with defenders as part of the blue team to try to figure out, institutionally, how do I keep that from happening."
At the time, he says, the Air Force had some 450,000 devices connected to the network across 132 separate enclaves.
"It was a major enterprise and all of the complexity that comes with that," Guy adds.
As a part of this team, he learned what the industry now calls "inevitability of compromise": Targeted attacks, now known as advanced persistent threats, occurred regularly.
"The Chinese were breaking into our networks every day, and we were playing a game of whack-a-mole trying to keep them out," he notes.
Years later, private-sector defenders would begin to worry about fighting similar problems. Guy's military experience gave him an "in-depth crash course" in defending against targeted attackers — years ahead of enterprise security teams.
Guy recognized the value of red team skills and experience and felt compelled to continue and broaden his mission to whole computer network operations. He was in the military as an active-duty member or contractor from 2000 through 2011, then left the federal sector to join Carbon Black — pulling its team together in November 2012, he says. A few years later, including another role as CTO at Jask, Guy founded Sevco Security.
Many of his military lessons translated to his enterprise roles, he says. A primary one is the inevitability of compromise that businesses now face.
"You cannot stop a targeted attacker from gaining access to your network if they want," Guy adds. "If you or your organization hasn't been compromised, it isn't because you're doing great work. It's because it hasn't been worth someone's time to do so."
Another lesson centers around accountability culture and the sense of personal responsibility. In the military, Guy says, he was in many operational situations that were time-critical and human lives were on the line. This brought an edge of "get it done, make it go, make it work" to achieving an objective. In a tiny startup, while not a life-and-death situation, there is a sense of personal accountability when a team of 10 to 20 people is building something from scratch.
"We absolutely, 100% count on the contributions of every single person around the table," he says.
Aim for Best Based on What You Know, Not Perfection
The importance of putting the right team around you is something Andrew Maloney, co-founder and COO of Query.AI, learned during his time as a systems admin and security engineer with the Air Force. He spoke of the bond formed with his team in basic training and technical school.
"Trust and camaraderie you build; that goes a long way toward working to a common goal together," Maloney says. "This is the foundation of any startup — nobody has all the answers out the gate. It's a roller coaster every day."
Maloney learned computer basics stationed at Andrews Air Force base after tech school. He started on the help desk, where he learned about networking and administration, and later got into security when deployed in Oman just after the start of the Iraq war. In his role monitoring base communications, he did remote firewall management and monitored Web proxies.
The knowledge he gained on the help desk set the stage for his security career, Maloney says.
"The thing I like the most about the old method for this is that security is not a single expertise in one thing," he explains. "To be effective in security you really need to understand how all of these components fit together … starting on the help desk and moving forward. While it's a longer path, it ensures you have foundational knowledge through all of those collective areas."
When Maloney interviewed with Lockheed Martin for a job in the East SOC, he wasn't asked any theoretical questions, he says. It was all about practical experience: how to configure a Cisco router, which ports and protocols these technologies use — all things he learned in his military years. He later left to go work for the Missile Defense Agency, then went into the private sector.
Maloney founded Query.AI to aid companies in centralized data access and insights. One of the military lessons he continues to use as a startup leader is attention to detail. "Done is better than perfect" is a commonly used adage in the startup community — the idea being that if one strives for perfection, they'll never reach an end state. But Maloney says the details do matter.
"I do think if you're looking at details and always trying to do the best thing you can do with that time, while perfection might be out of reach, you'll be a whole lot better than average or good," he says.
He also points to the importance of facing challenges without the advantage of extensive training or preparation. In the military, "very seldom is there an option to have all the answers," Maloney says. "You're always going, to some extent, off gut and the best information available. While you want perfection, you don't have the privilege of decisiveness and delayed action."
Transparency in Leadership Matters
Tom Pace, co-founder and CEO of NetRise, knew he wanted to work in cybersecurity from a young age, but he didn't land in his defensive career until serving as an intelligence specialist with the Marine Corps. In between deployments he took technical and criminology classes, self-taught on different topics, and entered a computer science program after he left the military.
After working in incident response and cybersecurity engineering at PNC, industrial control system security for the Department of Energy, and IR consulting at Cylance, Pace went on to found NetRise after identifying a broad need for identifying and determining the impact of vulnerabilities and risks of connected devices not only in ICS environments, but in several key industries, such as automotive, manufacturing, satellites, and other categories of IoT devices.
"It got me a lot more exposure to the breadth of the problem and made me realize it's not relegated to industrial control systems," he says of working in different environments. "It became wildly obvious that manufacturers, end users, and many other personas understand this problem exists and care that it's a problem, but they're unaware of any solutions that can address it for them."
Being direct and transparent is something Pace has carried over from military life into startup leadership. "That's generally the mentality of the military," he says. "There's not a whole lot of room for, 'I wonder what he actually meant.' That doesn't exist a whole lot."
Giving people a reason for why you're doing something, even if it doesn't seem necessary, is also important, he adds.
Another lesson learned: "Don't ask other people to do things that you wouldn't be willing to do," he says. "That's super important, especially at a startup." As the leader, he says, it's his job to take on the less-than-exciting duties and make sure they get done.
Expanding Opportunities for Vets
For many military personnel, especially those who didn't start a career or education before they entered military service, the question of how to transition into a career is tough. Several organizations in recent years have begun to offer resources and training programs to help with the transition into cybersecurity roles.
The Federal Virtual Training Environment (FedVTE) provides free online cybersecurity training to federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans. The Department of Homeland Security offers a user guide, "Cybersecurity Training and Education for Veterans," to help those who are interested create a career plan.
Private sector companies are also jumping in. Microsoft Software and Systems Academy (MSSA) was created to provide transitioning service members and veterans with career skills needed in the modern tech industry. Graduates have a chance to interview for a full-time job with Microsoft or one of the company's hiring partners. The Commonwealth of Virginia has partnered with businesses such as Cisco and AWS to sponsor security training and certifications for veterans.
At Synack, the Veterans Cyber Program aims to recruit qualified veterans and give them the tools they'll need to join Synack's Red Team. Interested veterans might also check out CyberVetsUSA, which offers free online training, certification, and employment opportunities to transitioning service members, veterans, National Guard and Reservists, and military spouses who want to enter the cybersecurity workforce.
Many colleges and universities across the country, among them Drexel University, University of Nebraska at Omaha, and Syracuse University, also offer specialized programs for veterans and military personnel who want to enter the field.